Organisations that obtain services or products from another country shouldn’t expect to escape the impact of the General Data Protection Regulation (GDPR) when it comes into force next year.
Some offshoring involves outsourcing or contracting out manufacturing to another company. However, it also includes relocating certain parts of a business to another country; for example, the services and products may still be provided in the same country, but they may be manufactured or stored in another country. Organisations generally offshore to reduce cost. But offshoring data does not mean that you escape the need to comply with the new EU data privacy regulation, the GDPR.
GDPR: What do you need to know?
The GDPR will come into force from 25 May 2018. The new regulation updates existing data protection laws and will also align all data protection regulations across Europe. To comply with the regulation, companies will have to notify any serious breaches or issues relating to the data the organisation holds. Data subjects who consent to the processing of their data will also gain the right to require that their data is corrected or removed whenever they wish. Companies that fail to comply with the new regulation could face significant penalties, including a fine of up to €20,000,000 or 4% of global annual turnover (whichever is the greater) for serious breaches such as failure to have a lawful reason for processing or unlawful third country transfers.
What does it mean for offshore branches?
In order for any kind of data to be lawfully transferred and processed abroad, the country in question must process and store the data safely and effectively. Furthermore, the EU’s rules regarding the handling of the data will remain in place, even if the country is not a member of the EU. For example, India has not received approval by the EU. This could become a major issue in the future, especially as so many companies have call centres in India. Whilst the Indian government intends to pass data protection laws in the future, it remains unclear when this will happen.
How to protect outsourced data?
Companies that wish to outsource to other countries should bear in mind the following:
- Any contracts must cover the appropriate security obligations to comply with the new regulations. They may also outline the penalties imposed for any activity that fails to comply.
- Any potential outsourcing company must have adequately trained staff to handle the data in line with the new regulation. Organisations should not enter into a contract until they receive guarantees that the company can and will adhere to the rules set out by the EU.
- Encrypt as much of the data as possible. Security is of utmost importance, and strong protection of the data could make a huge difference to whether you are able to meet the regulation’s requirements.
There’s no doubt that in the short term, the GDPR will require additional resources and costs. However, in the longer term it ensures organisations store and use data in a much safer and more secure way, hopefully resulting in fewer data breaches and less data loss. With less than a year to go before the rules come into force, it’s vital that businesses start acting now.